GDPR Right To be forgotten - is proof of deletion a requirement?

Hi all,

We've had the ability for people from GDPR countries to request for their data to be deleted from Marketo/SFDC since GDPR kicked in. If they submit a form, automation deletes them from the system. So far so good.

But, some within the organisation feel that we need some way to prove (in a court of law I guess) that we have indeed deleted someone we were supposed to delete.

My stance has been that if we keep a record of the details of the people we delete, then in fact we are still keeping their personal info, thus breaking GDPR. And if we only keep a token such as their Marketo or SFDC id, then that becomes worthless as proof after the record has been deleted.

Re: GDPR Right To be forgotten - is proof of deletion a requirement?

So in the case where a user has exercised the Right to be Forgotten (in regards to all of their data), that user’s personal data would technically no longer exist on your systems and as such the user would no longer be “identifiable” by you or your systems.

Article 12 of the GDPR states:

"The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject."

This means that data controllers are exempt from the fulfilment of “Users’ Rights”, where the data subject cannot be identified — as in the case where all of the user’s personal data is removed from your systems in the fulfilment of the initial request.

In this situation, there would be no possibility or need to “provide proof” of something that no longer exists in relation to an identifiable person.

In practical terms, the best way to handle such a request would be to clearly inform the user (at the time of the initial request) that in fulfilling the request, all their data will be removed and that it would, therefore, be impossible for them to exercise any further rights in regards to this data as the data will no longer exist on your systems.

Another required (in most cases) and practical way of maintaining proof of your overall compliance is to maintain valid records in regards to your processing activities (like your delete smart campaigns) and acquisition of consent (where applicable). This way, you are better equipped to prove (to the Authority or otherwise) that you have systems in place to facilitate the fulfilment of User’s Rights, even if the data in question is no longer available.

Re: GDPR Right To be forgotten - is proof of deletion a requirement?

Through Acquisition of Consent and processing activities, I did not mean that you should keep a record of that for each individual user after deleting their record; instead, I meant that in general it is advised to keep all the processes well documented and in place to prove that all your processes and architecture are GDPR (or respective geographical legislation) compliant! 🙂